norm. Threat Bulletin: 30th April 2024

Threat bulletin header

Unveiling the Threat: The Rise of Malvertising in Online Advertising

Malicious advertising or “malvertising’ occurs when an actor uses online advertising as a weapon to deploy malware. Sometimes, minimal user interaction is required to carry out the attack. Clicking a single advertisement on an innocent website has the potential to install unwanted and malicious software.

How does it work?

Website publishers are paid by individuals or companies who wish to display their advertisements on their sites. The publisher may not be aware that the person who has paid for an advert space on their site is doing it for a malicious purpose. This could be done by presenting themselves as a legitimate advertiser or by compromising the publisher’s server.

Minimal user interaction is often required as the malicious code is embedded within the advert, so clicking on it directly isn’t always necessary for the activity to be carried out. If the website that the user is loading is infected, the malware can be downloaded. If the user clicks on an infected advert they may get redirected to another site, which in turn can exploit vulnerabilities within their web browser. The malicious code within the advert is also able to redirect the user to malicious sites that host automated toolkits called exploit kits, which have the ability to scan devices for software vulnerabilities and exploit them.

How to spot malvertisements

There are a few key features that might indicate if an advert is malicious. The advert might appear unprofessional, with spelling and grammatical errors. The advert might seem completely unrelated to any of your previous searches or visited websites, it may be trying to sell an item or a service that seems too good to be true. The advert might be detailing a recent scandal or could be promising you something that appears fake or unrealistic.


Malicious advert

Fig 1: Showing an example of a malicious advert that is too good to be true


Impacts of malvertising

The malware present in the advert has the potential to steal your personal information, it could lead to spyware being installed on your device which results in the harvesting of your credentials through the use of keylogging tools. They may also leave open backdoors, meaning they can have continued access, and they may even share this with other actors.

Any type of malware can be installed on your device, without your knowledge after an encounter with a malicious advert. This can include bots, ransomware and adware (adware is different to malvertising as the ad malware is installed on the device, rather than visiting sites which host infected adverts). The presence of malware can cause your device to become inoperable, hardware components of the machine can also fail as a result of malware.

How to reduce the risk of malvertising

Avoiding malvertising can be difficult due to the volume of digital advertisements present on the internet. As a user, there are a couple of things you can do to try and mitigate the risk: utilise ad blockers and anti-virus software to minimise the risk of running a malicious advert. Update all web browsers, software and extensions to the most current version and refrain from using Java, Flash or prevent them from running automatically when using the web.



What is Malvertising? (
What is Malvertising? (
What is malvertising? (
I’ll make you an offer you can’t refuse… (


New Brokewell Malware Takes Over Android Devices, Steals Data

Overview: Brokewell is a highly sophisticated Android banking trojan. It has the capability to capture a wide range of device interactions, from user inputs such as taps and text to the launching of applications. The malware finds its way onto devices through a deceptive lure, posing as an update for Google Chrome, presented to users while navigating the web browser.


Active Development: Alarmingly, Brokewell is currently in an active development phase and is designed with a potent combination of device takeover and remote manipulation features. This marks a significant threat to Android users.


Discovery: The investigative team at ThreatFabric stumbled upon Brokewell while analysing a seemingly innocuous Chrome update page. This page served as a conduit for deploying the malware.


Previous Targets: Historical scrutiny of past campaigns revealed that Brokewell had previously targeted financial services offering “buy now, pay later” options, such as Klarna. It also masqueraded as the Austrian digital authentication app, ID Austria, showcasing its versatility in deception.


Capabilities: Brokewell’s arsenal is alarmingly comprehensive, with functionalities that extend far beyond simple data theft. The trojan is engineered to mimic the login interfaces of targeted apps to harvest credentials via overlay attacks. It employs its own WebView to intercept and siphon off cookies post-authentication on legitimate sites. It meticulously records every interaction made by the victim on the device, capturing sensitive data entered or displayed. The malware is also equipped to gather detailed information about the device’s hardware and software configurations, access call logs, pinpoint the device’s physical location, and even covertly record audio using the device’s microphone.


Device Control Capabilities: Brokewell possesses an extensive array of device control capabilities. It enables attackers to view the device’s screen in real-time, execute touch and swipe gestures remotely, and perform actions as if they were physically handling the device. This includes simulating button presses and remotely activating the device’s screen to augment the potential for data capture. Additionally, settings manipulation, such as dimming screen brightness or lowering volume to stealthily operate without the user’s awareness, is within its capabilities.


Creator: The brains behind Brokewell is identified as an individual known as Baron Samedit, a figure previously linked to the sales of tools for scrutinizing stolen accounts. Alongside Brokewell, ThreatFabric uncovered another tool — the “Brokewell Android Loader,” also the brainchild of Samedit.



Alert: ‘Brokewell’ Malware Hijacks Androids, Pilfers Personal Data! (
Cyware Daily Threat Intelligence, April 25, 2024 (


Russia Based APT28 Deploys ‘GooseEgg’ Malware via Windows Spooler Flaw Exploit

APT28, a known Russia-linked nation-state threat actor has managed to weaponise a security flaw within the Microsoft Windows Printer Spooler component which has allowed them to deliver a previously unknown customised malware known as GooseEgg. The tool itself has been used since June 2020 and operated in a way that allowed for privilege escalation using a now patched security flaw tracked as CVE-2022-38028 (CVSS Score of 7.8). This flaw was addressed back in October 2022 by Microsoft, with the National Security Agency being credited for reporting the flaw.

According to new findings from Microsoft’s threat intelligence team, APT28 (also known as Fancy Bear and Forest Blizzard) was able to weaponise the security flaw in attacks which targeted a wide variety of countries including Ukraine, Western Europe and the North American government. These attacks targeted governmental, non-governmental, education and transportation sectors respectively.

APT28 was able to use the tools to exploit the CVE-2022-38028 vulnerability in the Windows print spooler service by modifying a JavaScript constraints file and executing said file with SYSTEM level permissions. Microsoft stated that while GooseEgg can be seen as just a simple launcher application, it is capable of spawning other applications which are specified at the command line with escalated permissions, which allows for threat actors to support any follow-up activities such as remote code execution, backdoor installation, and lateral movement through compromised networks.

APT28 has been assessed and is supposedly associated with Unit 26165 of the Russian Federation’s military intelligence agency. They have been active for almost 15 years, and are prominently geared towards intelligence collections in support of Russian government foreign policy initiatives.

In recent months, APT28 hackers have also abused a privilege escalation flaw in Microsoft Outlook (tracked as CVE-2023-23397, CVSS score: 9.8) and a code execution bug in WinRAR (tracked as CVE-2023-38831, CVSS score: 7.8), indicating their ability to swiftly adopt public exploits into their repertoire.

By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.



Russia’s APT28 Exploited Windows Print Spooler Flaw to Deploy ‘GooseEgg’ Malware (
Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs (
APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme (
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog
NVD – CVE-2022-38028 (
NVD – CVE-2023-23397 (
NVD – CVE-2023-38831 (

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: